During the last two weeks, I had the privilege to speak on cybersecurity at two industry conferences, the ARC World Industry Forum and the SANS 11th Annual ICS Security Summit. While these represent two different audiences, the sessions and conversations were strikingly similar and I think reflective of how industry is viewing ICS cybersecurity. Here are some of the consistent themes:
You must know what you have: Users and vendors alike emphasize the need for an accurate inventory as the first step in an ICS cybersecurity strategy. Managing IT-based cyber assets like workstations and routers is fairly straightforward (and there are numerous solutions on the market that address this need). However, proprietary industrial control systems are too often blind spots for plant personnel. The sentiment is that the most widely used solution for inventory today – spreadsheets – is not scalable or robust enough to track the inventory and configuration data essential for an effective ICS cybersecurity strategy.
The waters of ICS cybersecurity are getting muddier: More and more vendors are entering the ICS cybersecurity market or are touting ICS cybersecurity capabilities. The growing din of solutions is making strategic decision making more complicated for companies. I was encouraged to see ARC propose a maturity model that prescribed capabilities companies need to become more secure. SANS takes a different approach with its model by describing how to detect and block attacks at various stages/steps within the kill chain. Both are effective in helping companies gain clarity on where to focus their cybersecurity hardening efforts. The more analysts and best-practice clearinghouses such as ARC and SANS can do to cut through the noise and help companies evaluate adoption opportunities, the more secure we become as an industry.
Cybersecurity is a priority, but there is greater budget scrutiny: With the downturn in oil and gas, corporate budgets continue to shrink. Although cybersecurity tends to remain well-funded, companies are applying greater scrutiny to every dollar spent and are demanding better articulation of value from technology vendors. As a solution provider, we address this with our cybersecurity offering and can show demonstrable gains in engineering productivity, reduced compliance and operational costs, and improved asset reliability and safety.
ICS cybersecurity continues to gain traction with IT and OT organizations. Companies are not waiting for an incident or regulation to take action, and are looking for standards-based technology solutions that address the gamut of cyber assets found in plants today. Conferences like ARC and SANS provide a valuable forum for industry peers to exchange ideas and keep a pulse on evolving cybersecurity standards and technology.